[FX.php List] Upload script in PHP?

Daniel P. Brown ogt at parasane.com
Mon Mar 13 14:53:27 MST 2006


    Yes and no, Bob.  To be on the safe side, it's always better to err 
on the side of caution and not disclose any more information than is 
necessary.  For example, if you are using an outdated version of OpenSSL 
or something similar with known vulnerabilities, phpinfo() discloses the 
version number and that may open you up to attack.

    As always, it's just safer to be a bit more paranoid, despite the 
fact that you're not likely to encounter problems due to phpinfo() 
disclosure.

          ~ Dan

Bob Patin wrote:
> Just curious: why do people recommend removing the phpinfo file? Is it 
> a security concern?
>
> Thanks,
>
> Bob
>
>
> On Mar 13, 2006, at 2:31 PM, Marisa Smith wrote:
>
>> Bob
>>
>> If you create a phpinfo.php file, with this as the content:
>>
>> <?php
>> phpinfo();
>> ?>
>>
>> You will be able to see the path to your php.ini file so you can find 
>> and edit it in the terminal.  Be sure to remove this info file when 
>> you are done.
>>
>> Marisa
>>
>> ---------------------------------------------------------------------
>> Marisa Smith, President
>> DataSmith Consulting, LLC
>> 9206 Huron River Drive
>> Dexter, MI 48130
>> Phone & Fax: (734) 426-8077
>> http://www.datasmithconsulting.net
>> Filemaker Solutions Alliance Associate Member
>>
>> On Mar 13, 2006, at 3:24 PM, Bob Patin wrote:
>>
>>> Actually, I'm in Mac OS X Server, which is Apache; anyone out there 
>>> familiar with OS X Server who could tell me how to get to 'php.ini' 
>>> in the Terminal? I seem to recall editing a text file in there 
>>> before, but can't remember the command to do that.
>>>
>>> Thanks,
>>>
>>> Bob Patin
>>> Longterm Solutions
>>> bob at longtermsolutions.com <mailto:bob at longtermsolutions.com>
>>> 615-333-6858
>>> http://www.longtermsolutions.com
>>>
>>>   CONTACT US VIA SKYPE:
>>>      USERNAME: longtermsolutions
>>>
>>>   CONTACT US VIA INSTANT MESSAGING:
>>>      AIM or iChat: longterm1954
>>>      Yahoo: longterm_solutions
>>>      MSN: bob at patin.com <mailto:bob at patin.com>
>>>      ICQ: 159333060
>>>
>>>
>>> On Mar 13, 2006, at 1:42 PM, Daniel P. Brown wrote:
>>>
>>>>
>>>>
>>>>    Permissions on the upload folder, if it's going to be public, 
>>>> should be 777.  Conversely, you can change the ownership to nobody 
>>>> (or whatever the Apache user on your system is), and chmod it to 
>>>> 700, or change the group to nobody (again, whatever your Apache 
>>>> user is) and chmod it to 770.
>>>>
>>>>    If you're using a standard Linux system, php.ini is usually just 
>>>> in the /etc/ directory.  You can type `locate -u` and then `locate 
>>>> php.ini` if you want to try to find it that way.  It's possible 
>>>> that your slocate database is outdated, hence the inability to 
>>>> locate the file.
>>>>
>>>>          ~ Dan
>>>>
>>>> Bob Patin wrote:
>>>>> Dale,
>>>>>
>>>>> Thanks for the reply; I'd tried that code but I suspect I need to 
>>>>> change the permissions on the "upload" folder. What do you 
>>>>> recommend that I set the permissions to for that folder, if not "www?"
>>>>>
>>>>> Also, how do I get to the php.ini file? I tried searching for it 
>>>>> on the web server but didn't find it, but I vaguely recall working 
>>>>> on it in the past. Do I have to use Terminal?
>>>>>
>>>>> Thanks a lot,
>>>>>
>>>>> Bob Patin
>>>>> Longterm Solutions
>>>>> bob at longtermsolutions.com <mailto:bob at longtermsolutions.com>
>>>>> 615-333-6858
>>>>> http://www.longtermsolutions.com
>>>>>
>>>>>
>>>>> On Mar 13, 2006, at 11:11 AM, Dale Bengston wrote:
>>>>>
>>>>>> Hi Bob,
>>>>>>
>>>>>> I took mine right from the php.net's examples about uploading files:
>>>>>>
>>>>>> <http://us2.php.net/manual/en/features.file-upload.php>
>>>>>>
>>>>>> Here is their upload HTML form:
>>>>>>
>>>>>> <!-- The data encoding type, enctype, MUST be specified as below -->
>>>>>> <form enctype="multipart/form-data" action="__URL__" method="POST">
>>>>>>     <!-- MAX_FILE_SIZE must precede the file input field -->
>>>>>>     <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
>>>>>>     <!-- Name of input element determines name in $_FILES array -->
>>>>>>     Send this file: <input name="userfile" type="file" />
>>>>>>     <input type="submit" value="Send File" />
>>>>>> </form>
>>>>>>
>>>>>> The three comment lines identify the big differences between this 
>>>>>> form and more traditional HTML forms. Note that the MAX_FILE_SIZE 
>>>>>> value is largely ignored by the browser, so you'll need to 
>>>>>> evaluate that after the file is uploaded (file size is part of 
>>>>>> the $_FILES array... see immediately below).
>>>>>>
>>>>>> Once uploaded, PHP stores info about the file in the $_FILES 
>>>>>> array. You can find the details of the elements of $_FILES on the 
>>>>>> page linked above, but the elements for the uploaded 'userfile' 
>>>>>> above are:
>>>>>>
>>>>>> $_FILES['userfile']['name'] The original name of the uploaded 
>>>>>> file on the client machine.
>>>>>>
>>>>>> $_FILES['userfile']['type'] The mime type of the file, if the 
>>>>>> browser provided this information. An example would be 
>>>>>> "image/gif". This mime type is however not checked on the PHP 
>>>>>> side and therefore don't take its value for granted.
>>>>>>
>>>>>> $_FILES['userfile']['size'] The size, in bytes, of the uploaded file.
>>>>>>
>>>>>> $_FILES['userfile']['tmp_name'] The temporary filename of the 
>>>>>> file in which the uploaded file was stored on the server.
>>>>>>
>>>>>> $_FILES['userfile']['error'] The error code associated with this 
>>>>>> file upload. This element was added in PHP 4.2.0.
>>>>>>
>>>>>> The uploaded file lands in a temp directory, and you use PHP's 
>>>>>> move_uploaded_file() to relocate it to your appropriate web 
>>>>>> directory. You can also rename it and use the values in $_FILES 
>>>>>> to check for different file types and file sizes (although the mime 
>>>>>> type thing isn't bulletproof).
>>>>>>
>>>>>> Things to watch out for: file and folder permissions on the final 
>>>>>> resting place for your uploads, since the www user has pretty 
>>>>>> limited access. Also, your php.ini file probably has an 
>>>>>> upload_max_filesize set to 2MB. If the PDFs being uploaded are 
>>>>>> larger than 2MB, you'll need to up this value. If you're changing 
>>>>>> upload_max_filesize, you'll need to look at post_max_size too.
>>>>>>
>>>>>> Hope this helps,
>>>>>> Dale
>>>>>>
>>>>>>
>>>>>> On Mar 13, 2006, at 9:59 AM, Bob Patin wrote:
>>>>>>
>>>>>>> Does anyone have any code for writing a simple upload script in 
>>>>>>> PHP? I tried some code that I found online, but have been unable 
>>>>>>> to get it to work.
>>>>>>>
>>>>>>> I have a client who needs to put a form on their site so that 
>>>>>>> clients can upload PDF files directly into their web folder on 
>>>>>>> the web server.
>>>>>>>
>>>>>>> Any help would be greatly appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Bob Patin
>>>>>>> Longterm Solutions
>>>>>>> bob at longtermsolutions.com <mailto:bob at longtermsolutions.com>
>>>>>>> 615-333-6858
>>>>>>> http://www.longtermsolutions.com
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> FX.php_List mailing list
>>>>>>> FX.php_List at mail.iviking.org <mailto:FX.php_List at mail.iviking.org>
>>>>>>> http://www.iviking.org/mailman/listinfo/fx.php_list
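An added example, not code from the list thread or the PHP manual, that puts Dale's advice into a server-side handler for the manual's "userfile" form: it checks the $_FILES error code, enforces the size limit server-side (the form's MAX_FILE_SIZE is advisory), verifies the file is a PDF by its leading bytes rather than trusting the client-supplied MIME type, and moves it with move_uploaded_file() under a generated name. The directory name $uploadDir and the 2MB limit are assumptions.

```php
<?php
// Added example (not from the list thread): a minimal PDF upload handler.
// Assumes the form field is 'userfile' (as in the manual's form) and that
// $uploadDir is writable by the web server user and not served as executable PHP.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024;        // assumed limit, mirroring a 2MB upload_max_filesize
$uploadDir = __DIR__ . '/upload';         // assumed destination directory

function handle_pdf_upload(array $file, string $uploadDir, int $maxBytes): string
{
    // 1. The error code says whether PHP accepted the upload at all
    //    (e.g. UPLOAD_ERR_INI_SIZE when it exceeded the php.ini limits Dale mentions).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'n/a'));
    }
    // 2. MAX_FILE_SIZE in the form is ignored by browsers; enforce the limit here.
    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        throw new RuntimeException('file size out of range');
    }
    // 3. is_uploaded_file() confirms tmp_name really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 4. $_FILES['type'] is supplied by the client; check the PDF signature instead.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 5);
    if ($head !== '%PDF-') {
        throw new RuntimeException('not a PDF');
    }
    // 5. Never reuse the client's filename; generate one with a fixed extension.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file; check directory permissions');
    }
    return $dest;
}

if (isset($_FILES['userfile'])) {
    try {
        $saved = handle_pdf_upload($_FILES['userfile'], $uploadDir, MAX_BYTES);
        echo 'Stored as ' . htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

If move_uploaded_file() fails, the directory ownership and mode are the first things to check, which is the permissions point Dan and Dale raise above.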

